CVE-2025-28010

MEDIUM

MODX < 3.1.0 - Authenticated Stored Cross-Site Scripting via SVG Profile Image Upload

Title source: llm
STIX 2.1

Description

A cross-site scripting (XSS) vulnerability has been identified in MODX prior to 3.1.0. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image.

References (1)

Core 1

Scores

CVSS v3 5.4
EPSS 0.0023
EPSS Percentile 14.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
modx/modx < 3.1.0
modx/revolution 0Packagist
Published Mar 13, 2025
Tracked Since Feb 18, 2026